@oxyhq/core 3.4.1 → 3.4.3

package/dist/esm/mixins/OxyServices.redirect.js

@@ -1,357 +1,92 @@
 import { OxyAuthenticationError } from '../OxyServices.errors.js';
+import { buildSsoBounceUrl, ssoAttemptedKey, ssoDestKey, ssoGuardKey, ssoStateKey, } from '../utils/ssoBounce.js';
 /**
- * Redirect-based Cross-Domain Authentication Mixin
+ * Redirect-based authentication without bearer tokens in URLs.
  *
- * Implements traditional OAuth2 redirect flow as a fallback when popup or
- * FedCM are not available or fail (e.g., mobile browsers, popup blockers).
- *
- * Flow:
- * 1. Save current URL
- * 2. Redirect to auth.oxy.so/login
- * 3. User signs in
- * 4. Redirect back with token in URL
- * 5. Extract token, restore session, clean URL
- *
- * Features:
- * - Works on all browsers (including old mobile browsers)
- * - Automatic URL cleanup after auth
- * - State preservation option
- * - CSRF protection via state parameter
- *
- * Trade-offs:
- * - Loses JavaScript app state (full page navigation)
- * - Visible redirect (user sees navigation)
- * - Slower perceived performance
+ * The redirect fallback now uses the same central SSO code-return contract as
+ * cold boot: the RP stores CSRF/destination state in sessionStorage, navigates
+ * to the central IdP, receives only an opaque one-time code in the URL fragment,
+ * and the provider's `sso-return` step exchanges that code for the real session.
  */
 export function OxyServicesRedirectAuthMixin(Base) {
-    var _a;
-    return _a = class extends Base {
-            constructor(...args) {
-                super(...args);
-            }
-            /**
-             * Sign in using full page redirect
-             *
-             * Redirects the user to auth.oxy.so for authentication. After successful
-             * sign-in, the user will be redirected back to the current page (or custom
-             * redirect URI) with authentication tokens in the URL.
-             *
-             * Call handleAuthCallback() on app startup to complete the flow.
-             *
-             * @param options - Redirect configuration options
-             *
-             * @example
-             * ```typescript
-             * // Initiate sign-in
-             * const handleSignIn = () => {
-             *   oxyServices.signInWithRedirect();
-             * };
-             *
-             * // Handle callback on app startup
-             * useEffect(() => {
-             *   const session = oxyServices.handleAuthCallback();
-             *   if (session) {
-             *     setUser(session.user);
-             *   }
-             * }, []);
-             * ```
-             */
-            signInWithRedirect(options = {}) {
-                if (typeof window === 'undefined') {
-                    throw new OxyAuthenticationError('Redirect authentication requires browser environment');
-                }
-                const redirectUri = options.redirectUri || window.location.href;
-                const mode = options.mode || 'login';
-                const state = this.generateState();
-                const nonce = this.generateNonce();
-                // Store state for CSRF protection
-                this.storeAuthState(state, nonce);
-                // Save current URL to restore after auth (optional)
-                if (options.preserveUrl !== false) {
-                    this.savePreAuthUrl(window.location.href);
-                }
-                const authUrl = this.buildAuthUrl({
-                    mode,
-                    redirectUri,
-                    state,
-                    nonce,
-                    clientId: window.location.origin,
-                });
-                // Perform redirect
-                window.location.href = authUrl;
-            }
-            /**
-             * Sign up using full page redirect
-             *
-             * Same as signInWithRedirect but opens the signup page by default.
-             */
-            signUpWithRedirect(options = {}) {
-                this.signInWithRedirect({ ...options, mode: 'signup' });
-            }
-            /**
-             * Handle authentication callback
-             *
-             * Call this on app startup to check if the current page load is a
-             * redirect back from the authentication server. If it is, this method
-             * will extract the tokens, store them, and clean up the URL.
-             *
-             * @returns Session data if this is a callback, null otherwise
-             * @throws {OxyAuthenticationError} If state validation fails (CSRF attack)
-             *
-             * @example
-             * ```typescript
-             * // In your app's root component or startup logic
-             * useEffect(() => {
-             *   try {
-             *     const session = oxyServices.handleAuthCallback();
-             *     if (session) {
-             *       console.log('Logged in:', session.user);
-             *       setUser(session.user);
-             *     } else {
-             *       // Not a callback, check for existing session
-             *       const restored = oxyServices.restoreSession();
-             *       if (!restored) {
-             *         // No session, show login button
-             *       }
-             *     }
-             *   } catch (error) {
-             *     console.error('Auth callback failed:', error);
-             *   }
-             * }, []);
-             * ```
-             */
-            handleAuthCallback() {
-                if (typeof window === 'undefined') {
-                    return null;
-                }
-                const url = new URL(window.location.href);
-                const accessToken = url.searchParams.get('access_token');
-                const sessionId = url.searchParams.get('session_id');
-                const expiresAt = url.searchParams.get('expires_at');
-                const state = url.searchParams.get('state');
-                const error = url.searchParams.get('error');
-                const errorDescription = url.searchParams.get('error_description');
-                // Check if this is an error callback
-                if (error) {
-                    this.clearAuthState();
-                    throw new OxyAuthenticationError(errorDescription || error);
-                }
-                // Check if this is an auth callback
-                if (!accessToken || !sessionId) {
-                    return null; // Not a callback
-                }
-                // Verify state to prevent CSRF attacks
-                const savedState = this.getStoredState();
-                if (!savedState || state !== savedState) {
-                    this.clearAuthState();
-                    throw new OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.');
-                }
-                // Store tokens
-                this.storeTokens(accessToken, sessionId);
-                this.httpService.setTokens(accessToken);
-                // Build session response (minimal — full user data is fetched separately
-                // by the caller via getCurrentUser() once tokens are stored).
-                const session = {
-                    sessionId,
-                    deviceId: '', // Not available in redirect flow
-                    expiresAt: expiresAt || new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-                    // Placeholder user — caller MUST fetch real user data via getCurrentUser()
-                    // before exposing this session to the application. The empty id signals
-                    // that the user payload has not yet been populated.
-                    user: { id: '', username: '' },
-                };
-                // Clean up URL (remove auth parameters)
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Start a full-page redirect through the central SSO flow.
+         *
+         * No access token, refresh token, or session id is ever put in the URL or
+         * localStorage. The caller's provider must run `consumeSsoReturn` on startup
+         * to complete the code exchange and commit the session.
+         */
+        signInWithRedirect(options = {}) {
+            if (typeof window === 'undefined' || typeof window.sessionStorage === 'undefined') {
+                throw new OxyAuthenticationError('Redirect authentication requires browser sessionStorage');
+            }
+            const origin = window.location.origin;
+            const state = this.generateState();
+            const destination = options.preserveUrl === false
+                ? (options.redirectUri || origin)
+                : (options.redirectUri || window.location.href);
+            window.sessionStorage.setItem(ssoStateKey(origin), state);
+            window.sessionStorage.setItem(ssoGuardKey(origin), String(Date.now()));
+            window.sessionStorage.setItem(ssoDestKey(origin), destination);
+            window.sessionStorage.setItem(ssoAttemptedKey(origin), '1');
+            window.location.assign(buildSsoBounceUrl(origin, state, this.config.authWebUrl));
+        }
+        signUpWithRedirect(options = {}) {
+            this.signInWithRedirect({ ...options, mode: 'signup' });
+        }
+        /**
+         * Legacy token-query callbacks are intentionally rejected. Modern providers
+         * complete redirect auth through `consumeSsoReturn`, which accepts only
+         * `#oxy_sso=ok&code=...`.
+         */
+        handleAuthCallback() {
+            if (typeof window === 'undefined') {
+                return null;
+            }
+            const url = new URL(window.location.href);
+            if (url.searchParams.has('access_token') || url.searchParams.has('session_id')) {
                 this.cleanAuthCallbackUrl(url);
-                // Clean up storage
-                this.clearAuthState();
-                return session;
-            }
-            /**
-             * Restore session from storage
-             *
-             * Attempts to restore a previously authenticated session from localStorage.
-             * Call this on app startup if handleAuthCallback() returns null.
-             *
-             * @returns True if session was restored, false otherwise
-             *
-             * @example
-             * ```typescript
-             * useEffect(() => {
-             *   const session = oxyServices.handleAuthCallback();
-             *   if (!session) {
-             *     const restored = oxyServices.restoreSession();
-             *     if (!restored) {
-             *       // No session, user needs to sign in
-             *       setShowLogin(true);
-             *     }
-             *   }
-             * }, []);
-             * ```
-             */
-            restoreSession() {
-                if (typeof window === 'undefined') {
-                    return false;
-                }
-                const token = localStorage.getItem(this.constructor.TOKEN_STORAGE_KEY);
-                const sessionId = localStorage.getItem(this.constructor.SESSION_STORAGE_KEY);
-                if (token && sessionId) {
-                    this.httpService.setTokens(token);
-                    return true;
-                }
-                return false;
-            }
-            /**
-             * Clear stored session
-             *
-             * Removes all authentication data from storage. Call this on logout.
-             */
-            clearStoredSession() {
-                if (typeof window === 'undefined') {
-                    return;
-                }
-                localStorage.removeItem(this.constructor.TOKEN_STORAGE_KEY);
-                localStorage.removeItem(this.constructor.SESSION_STORAGE_KEY);
-                this.httpService.clearTokens();
-            }
-            /**
-             * Get stored session ID
-             */
-            getStoredSessionId() {
-                if (typeof window === 'undefined') {
-                    return null;
-                }
-                return localStorage.getItem(this.constructor.SESSION_STORAGE_KEY);
-            }
-            /**
-             * Build authentication URL with query parameters
-             *
-             * @private
-             */
-            buildAuthUrl(params) {
-                const url = new URL(`${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/${params.mode}`);
-                url.searchParams.set('redirect_uri', params.redirectUri);
-                url.searchParams.set('state', params.state);
-                url.searchParams.set('nonce', params.nonce);
-                url.searchParams.set('client_id', params.clientId);
-                url.searchParams.set('response_type', 'token');
-                return url.toString();
-            }
-            /**
-             * Store tokens in localStorage
-             *
-             * @private
-             */
-            storeTokens(accessToken, sessionId) {
-                if (typeof window === 'undefined') {
-                    return;
-                }
-                localStorage.setItem(this.constructor.TOKEN_STORAGE_KEY, accessToken);
-                localStorage.setItem(this.constructor.SESSION_STORAGE_KEY, sessionId);
-            }
-            /**
-             * Generate cryptographically secure state for CSRF protection
-             *
-             * @private
-             */
-            generateState() {
-                if (typeof crypto !== 'undefined' && crypto.randomUUID) {
-                    return crypto.randomUUID();
-                }
-                if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-                    const bytes = new Uint8Array(16);
-                    crypto.getRandomValues(bytes);
-                    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
-                }
-                throw new Error('No secure random source available for state generation');
-            }
-            /**
-             * Generate nonce for replay attack prevention
-             *
-             * @private
-             */
-            generateNonce() {
-                if (typeof crypto !== 'undefined' && crypto.randomUUID) {
-                    return crypto.randomUUID();
-                }
-                if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-                    const bytes = new Uint8Array(16);
-                    crypto.getRandomValues(bytes);
-                    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
-                }
-                throw new Error('No secure random source available for nonce generation');
-            }
-            /**
-             * Store auth state in session storage
-             *
-             * @private
-             */
-            storeAuthState(state, nonce) {
-                if (typeof window === 'undefined') {
-                    return;
-                }
-                sessionStorage.setItem(this.constructor.STATE_STORAGE_KEY, state);
-                sessionStorage.setItem(this.constructor.NONCE_STORAGE_KEY, nonce);
-            }
-            /**
-             * Get stored state
-             *
-             * @private
-             */
-            getStoredState() {
-                if (typeof window === 'undefined') {
-                    return null;
-                }
-                return sessionStorage.getItem(this.constructor.STATE_STORAGE_KEY);
-            }
-            /**
-             * Clear auth state from storage
-             *
-             * @private
-             */
-            clearAuthState() {
-                if (typeof window === 'undefined') {
-                    return;
-                }
-                sessionStorage.removeItem(this.constructor.STATE_STORAGE_KEY);
-                sessionStorage.removeItem(this.constructor.NONCE_STORAGE_KEY);
-                sessionStorage.removeItem(this.constructor.PRE_AUTH_URL_KEY);
-            }
-            /**
-             * Save pre-authentication URL to restore later
-             *
-             * @private
-             */
-            savePreAuthUrl(url) {
-                if (typeof window === 'undefined') {
-                    return;
-                }
-                sessionStorage.setItem(this.constructor.PRE_AUTH_URL_KEY, url);
-            }
-            /**
-             * Clean authentication parameters from URL
-             *
-             * @private
-             */
-            cleanAuthCallbackUrl(url) {
-                // Remove auth parameters
-                url.searchParams.delete('access_token');
-                url.searchParams.delete('session_id');
-                url.searchParams.delete('expires_at');
-                url.searchParams.delete('state');
-                url.searchParams.delete('nonce');
-                url.searchParams.delete('error');
-                url.searchParams.delete('error_description');
-                // Update URL without reloading page
-                window.history.replaceState({}, '', url.toString());
-            }
-        },
-        _a.DEFAULT_AUTH_URL = 'https://auth.oxy.so',
-        _a.TOKEN_STORAGE_KEY = 'oxy_access_token',
-        _a.SESSION_STORAGE_KEY = 'oxy_session_id',
-        _a.STATE_STORAGE_KEY = 'oxy_auth_state',
-        _a.PRE_AUTH_URL_KEY = 'oxy_pre_auth_url',
-        _a.NONCE_STORAGE_KEY = 'oxy_auth_nonce',
-        _a;
+                throw new OxyAuthenticationError('Legacy access-token redirect callbacks are no longer accepted.');
+            }
+            return null;
+        }
+        restoreSession() {
+            return false;
+        }
+        clearStoredSession() {
+            this.httpService.clearTokens();
+        }
+        getStoredSessionId() {
+            return null;
+        }
+        generateState() {
+            if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+                return crypto.randomUUID();
+            }
+            if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+                const bytes = new Uint8Array(16);
+                crypto.getRandomValues(bytes);
+                return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+            }
+            throw new Error('No secure random source available for state generation');
+        }
+        generateNonce() {
+            return this.generateState();
+        }
+        cleanAuthCallbackUrl(url) {
+            url.searchParams.delete('access_token');
+            url.searchParams.delete('session_id');
+            url.searchParams.delete('expires_at');
+            url.searchParams.delete('state');
+            url.searchParams.delete('nonce');
+            url.searchParams.delete('error');
+            url.searchParams.delete('error_description');
+            window.history.replaceState({}, '', url.toString());
+        }
+    };
 }
-// Export the mixin function as both named and default
 export { OxyServicesRedirectAuthMixin as RedirectAuthMixin };

package/dist/esm/mixins/OxyServices.silent.js

@@ -0,0 +1,202 @@
+import { createDebugLogger } from "../shared/utils/debugUtils.js";
+const debug = createDebugLogger("SilentAuth");
+/**
+ * Cross-domain silent browser auth helpers.
+ *
+ * The clean session model supports FedCM, tokenless redirect SSO, and silent
+ * iframe SSO. Bearer-token callback URLs are not part of this surface.
+ */
+export function OxyServicesSilentAuthMixin(Base) {
+    var _a;
+    return _a = class extends Base {
+            constructor(...args) {
+                super(...args);
+            }
+            /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+            resolveAuthUrl() {
+                return (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL);
+            }
+            /**
+             * Silent sign-in using hidden iframe
+             *
+             * Attempts to automatically re-authenticate the user without any UI.
+             * This is what enables seamless SSO across all Oxy domains.
+             *
+             * How it works:
+             * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
+             * 2. If user has valid session at auth.oxy.so, it exchanges an opaque SSO code
+             * 3. If not, iframe responds with null (no error thrown)
+             *
+             * This should be called on app startup to check for existing sessions.
+             *
+             * @param options - Silent auth options
+             * @returns Session if user is signed in, null otherwise
+             *
+             * @example
+             * ```typescript
+             * useEffect(() => {
+             *   const checkAuth = async () => {
+             *     const session = await oxyServices.silentSignIn();
+             *     if (session) {
+             *       setUser(session.user);
+             *     }
+             *   };
+             *   checkAuth();
+             * }, []);
+             * ```
+             */
+            async silentSignIn(options = {}) {
+                if (typeof window === "undefined") {
+                    return null;
+                }
+                const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
+                const nonce = this.generateNonce();
+                const clientId = window.location.origin;
+                // Resolve the IdP origin for the iframe. An explicit per-apex override (the
+                // durable cross-domain reload path — see `SilentAuthOptions.authWebUrlOverride`)
+                // wins over the instance's configured central auth URL. The SAME origin is
+                // handed to `waitForIframeAuth` so the postMessage origin check matches the
+                // exact host the iframe was loaded from.
+                const authOrigin = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
+                    ? options.authWebUrlOverride
+                    : this.resolveAuthUrl();
+                const iframe = document.createElement("iframe");
+                iframe.style.display = "none";
+                iframe.style.position = "absolute";
+                iframe.style.width = "0";
+                iframe.style.height = "0";
+                iframe.style.border = "none";
+                const silentUrl = `${authOrigin}/auth/silent?` +
+                    `client_id=${encodeURIComponent(clientId)}&` +
+                    `nonce=${nonce}`;
+                iframe.src = silentUrl;
+                document.body.appendChild(iframe);
+                try {
+                    const session = await this.waitForIframeAuth(iframe, timeout, authOrigin);
+                    // Bail early on incomplete responses. The iframe contract requires
+                    // both an access token and a session id; anything less is unusable.
+                    // Returning `null` here (without installing the token) prevents a
+                    // stale credential from being committed to HttpService when the
+                    // user is actually signed out — that pattern caused a `getCurrentUser`
+                    // -> 401 -> token-clear loop in consumer apps because callers gated
+                    // on `session?.user` and never installed the user via
+                    // `handleAuthSuccess`, while HttpService quietly held the token.
+                    const accessToken = session
+                        ? session.accessToken
+                        : undefined;
+                    if (!session || !accessToken || !session.sessionId) {
+                        return null;
+                    }
+                    // Snapshot the previous token so we can roll back if the user
+                    // lookup below fails — this avoids leaving a half-committed session
+                    // (token installed, user missing) which would let the next
+                    // authenticated request 401 with no way to recover.
+                    const previousAccessToken = this.httpService.getAccessToken();
+                    this.httpService.setTokens(accessToken);
+                    // The iframe typically returns `{ sessionId, accessToken }` without
+                    // user data. Fetch the user explicitly so callers receive a
+                    // fully-formed session and never need a second `/users/me` round
+                    // trip. If this fails the session is unusable — revert the token
+                    // and return null so the caller treats this exactly like a
+                    // missing-session response.
+                    if (!session.user) {
+                        try {
+                            const userData = await this.makeRequest("GET", `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
+                            if (!userData) {
+                                throw new Error("Empty user response");
+                            }
+                            session.user = userData;
+                        }
+                        catch (userError) {
+                            debug.warn("silentSignIn: failed to fetch user data, rolling back token", userError);
+                            if (previousAccessToken) {
+                                this.httpService.setTokens(previousAccessToken);
+                            }
+                            else {
+                                this.httpService.clearTokens();
+                            }
+                            return null;
+                        }
+                    }
+                    return session;
+                }
+                catch (error) {
+                    return null;
+                }
+                finally {
+                    document.body.removeChild(iframe);
+                }
+            }
+            /**
+             * Wait for authentication response from iframe
+             *
+             * @private
+             */
+            async waitForIframeAuth(iframe, timeout, expectedOrigin) {
+                return new Promise((resolve) => {
+                    const timeoutId = setTimeout(() => {
+                        cleanup();
+                        resolve(null); // Silent failure - don't throw
+                    }, timeout);
+                    const messageHandler = (event) => {
+                        // Verify origin against the EXACT host the iframe was loaded from
+                        // (`expectedOrigin`). For the per-apex durable-restore path this is
+                        // `auth.<rp-apex>`, not the instance's central `resolveAuthUrl()` — so
+                        // we must honour the caller-supplied origin, never re-derive it here.
+                        if (event.origin !== expectedOrigin) {
+                            return;
+                        }
+                        const { type, session } = event.data;
+                        if (type !== "oxy_silent_auth") {
+                            return;
+                        }
+                        cleanup();
+                        resolve(session || null);
+                    };
+                    // Fail-fast on a load failure. When the per-apex `/auth/silent` host is
+                    // unreachable, blocked by CSP `frame-ancestors`/`X-Frame-Options`, or the
+                    // network drops, the iframe never posts a message — without this handler
+                    // the silent restore would block for the FULL `timeout` (dead latency in
+                    // the cold-boot critical path). `onerror`/`onabort` fire on a failed load,
+                    // so resolve `null` immediately and let the next cold-boot step run. The
+                    // success path posts a message and is handled above; these only catch the
+                    // no-message failure modes.
+                    const failFast = () => {
+                        cleanup();
+                        resolve(null);
+                    };
+                    iframe.onerror = failFast;
+                    iframe.onabort = failFast;
+                    const cleanup = () => {
+                        clearTimeout(timeoutId);
+                        iframe.onerror = null;
+                        iframe.onabort = null;
+                        window.removeEventListener("message", messageHandler);
+                    };
+                    window.addEventListener("message", messageHandler);
+                });
+            }
+            /**
+             * Generate nonce for replay attack prevention
+             *
+             * @private
+             */
+            generateNonce() {
+                if (typeof crypto !== "undefined" && crypto.randomUUID) {
+                    return crypto.randomUUID();
+                }
+                if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+                    const bytes = new Uint8Array(16);
+                    crypto.getRandomValues(bytes);
+                    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+                }
+                throw new Error("No secure random source available for nonce generation");
+            }
+        },
+        _a.DEFAULT_AUTH_URL = "https://auth.oxy.so",
+        _a.SILENT_TIMEOUT = 5000 // 5 seconds
+    ,
+        _a;
+}
+// Export the mixin function as both named and default
+export { OxyServicesSilentAuthMixin as SilentAuthMixin };